Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1009
Views
0
Helpful
2
Replies

IOS: Forced use of IKEv2.

Go to solution
dinger.sergey
Level 1
Level 1

‎09-03-2018 06:29 AM

The settings are performed between two cisco 3925e v.15.6 (3) .M5

When I try to raise a VTI IPSec tunnel using IKEv2, the first phase is raised using isakmp (IKEv1).

#show crypto isakmp sa detail | i 192.168.254.119
1009  192.168.254.118 192.168.254.119        ACTIVE aes  sha256 psk  5  01:48:52 D

To refuse from isakmp there is no possibility. VRF is not used (and as far as I understand it will not solve the problem).

Can I prioritize IKEv2 higher than IKEv1? Or tie a certain "ikev2 policy" to a specific tunnel?

Config (truncated):

R1:

crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 5
 lifetime 7200

crypto ikev2 proposal GCM256
 encryption aes-gcm-256
 prf sha256
 group 19

crypto ikev2 policy GCM256
 match address local 192.168.254.118
 proposal GCM256

crypto ikev2 keyring INNER
 peer INNER-SITE
  description === INNER-SITE ===
  address 192.168.254.119
  pre-shared-key 123123

crypto ikev2 profile INNER
 description === INNER ===
 match identity remote any
 authentication local pre-share
 authentication remote pre-share
 keyring local INNER
 lifetime 7200

crypto ipsec transform-set GCM256 esp-gcm 256
 mode tunnel

crypto ipsec profile GCM256
 set transform-set GCM256
 set pfs group19

interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 tunnel source 192.168.254.118
 tunnel mode ipsec ipv4
 tunnel destination 192.168.254.119
 tunnel protection ipsec profile GCM256

R2:

crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 5
 lifetime 7200

crypto ikev2 proposal GCM256
 encryption aes-gcm-256
 prf sha256
 group 19

crypto ikev2 policy GCM256
 match address local 192.168.254.119
 proposal GCM256

crypto ikev2 keyring INNER
 peer INNER-SITE
  description === INNER-SITE ===
  address 192.168.254.118
  pre-shared-key 123123

crypto ikev2 profile INNER
 description === INNER ===
 match identity remote any
 authentication local pre-share
 authentication remote pre-share
 keyring local INNER
 lifetime 7200

crypto ipsec transform-set GCM256 esp-gcm 256
 mode tunnel

crypto ipsec profile GCM256
 set transform-set GCM256
 set pfs group19

interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source 192.168.254.119
 tunnel mode ipsec ipv4
 tunnel destination 192.168.254.118
 tunnel protection ipsec profile GCM256
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎09-03-2018 06:58 AM

Hi,

You should reference the IKEv2 Profile in the IPSec profile, e.g:-

 

crypto ipsec profile GCM256
 set ikev2-profile INNE

 HTH

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Rob Ingram
VIP
VIP

‎09-03-2018 06:58 AM

Hi,

You should reference the IKEv2 Profile in the IPSec profile, e.g:-

 

crypto ipsec profile GCM256
 set ikev2-profile INNE

 HTH

0 Helpful

Go to solution
dinger.sergey
Level 1
Level 1
In response to Rob Ingram

‎09-03-2018 08:29 AM

Thank you, RJI.

I tried it before, but it did not work for me. I tried again, but it did not work until I made "sh" & "no sh" on the interface.

0 Helpful
Customers Also Viewed These Support Documents